The official installer file is about 22 MB, while the sample is only 700 KB.

Summary

The sample we received is a PE installer file that uses the Tor Project file icon. During the installation wizard, the user will notice that no EULA appears on the screen:

The installer file is a malware dropper. Once installation finishes, the malware does not execute itself automatically; it needs user interaction, either a reboot of the PC or a manual launch from the Start Menu.

If the user runs it from the Start Menu, it launches from C:\Program Files\Tor Browser\Tor_Browser.exe. This PE file then starts another process from the following location:

C:\Users\<user profile>\AppData\Local\Temp\explorer.exe

It then runs a %RANDOMNAME%.bat dropped in the Windows temporary folder. This batch file deletes the previous file, Tor_Browser.exe, after that process has terminated.
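The execution chain above (Tor_Browser.exe in Program Files spawning an explorer.exe from the user's Temp folder, which in turn runs a randomly named .bat from Temp) is easy to express as detection rules over process-creation telemetry. The script below is an added example, not code from the original report: it parses constructed Sysmon-style `Image|ParentImage|CommandLine` events (the log lines, the user name `alice` and the batch name `k3j9x2.bat` are made up) and flags three behaviours: an explorer.exe that is not one of the genuine Windows paths (assumed to be `C:\Windows\explorer.exe` and `C:\Windows\SysWOW64\explorer.exe`), an installed program launching an executable out of a Temp directory, and cmd.exe executing a batch file from Temp. The masquerade rule generalises beyond this sample to any binary borrowing the explorer.exe name.

```python
"""Flag process-creation events that match the fake Tor Browser dropper chain.

Added example for defenders; the sample log below is constructed, not real telemetry.
"""
import re
from pathlib import PureWindowsPath

# Assumed genuine locations of the Windows shell; any other explorer.exe is suspect.
GENUINE_EXPLORER = frozenset({
    r"c:\windows\explorer.exe",
    r"c:\windows\syswow64\explorer.exe",
})

# Constructed sample log: Sysmon-style key=value fields, one process-creation event per line.
# Lines 3 and 4 model the dropper chain described in the report; the rest are benign.
SAMPLE_LOG = r"""
Image=C:\Windows\explorer.exe|ParentImage=C:\Windows\System32\userinit.exe|CommandLine=C:\Windows\explorer.exe
Image=C:\Program Files\Tor Browser\Tor_Browser.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Program Files\Tor Browser\Tor_Browser.exe"
Image=C:\Users\alice\AppData\Local\Temp\explorer.exe|ParentImage=C:\Program Files\Tor Browser\Tor_Browser.exe|CommandLine=C:\Users\alice\AppData\Local\Temp\explorer.exe
Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Users\alice\AppData\Local\Temp\explorer.exe|CommandLine=cmd.exe /c C:\Users\alice\AppData\Local\Temp\k3j9x2.bat
Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe
""".strip()


def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' line into a dict (first '=' separates key and value)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_temp_path(path: str) -> bool:
    """True for paths under the per-user or system Temp directories."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def analyze_event(event: dict) -> list[str]:
    """Return a list of human-readable findings for a single process-creation event."""
    findings = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")
    image_name = PureWindowsPath(image).name.lower()

    # Rule 1: a process named explorer.exe that does not run from a genuine Windows path.
    if image_name == "explorer.exe" and image.lower() not in GENUINE_EXPLORER:
        findings.append(f"explorer.exe masquerade: image runs from {image}")

    # Rule 2: an installed application (Program Files) launching an executable out of Temp.
    if is_temp_path(image) and parent.lower().startswith(r"c:\program files"):
        findings.append(f"Temp-folder payload launched by {parent}")

    # Rule 3: cmd.exe executing a batch file that lives in Temp (the self-deleting .bat stage).
    if image_name == "cmd.exe":
        for token in re.findall(r"\S+\.bat", cmdline, flags=re.IGNORECASE):
            if is_temp_path(token):
                findings.append(f"batch script executed from Temp: {token}")

    return findings


def scan_log(log_text: str) -> list[tuple[int, str]]:
    """Run every rule over every non-empty line; return (line number, finding) pairs."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        for finding in analyze_event(parse_event(line)):
            hits.append((lineno, finding))
    return hits


if __name__ == "__main__":
    for lineno, finding in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

Running the script reports three findings, all on the two malicious lines: the Temp-resident explorer.exe trips both the masquerade rule and the Program-Files-to-Temp rule, and the cmd.exe event trips the Temp batch rule. The genuine explorer.exe and notepad.exe events produce nothing, which is the check that keeps the rules from firing on ordinary desktop activity.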